Facebook had its third alarming bug in as many weeks, when a security researcher showed how a hostile website could obtain your Facebook information via Yelp. The hole is supposedly fixed, but then so were the prior two.

Facebook was vulnerable to hackers who pasted the right malicious code into text forms on Yelp, according to TechCrunch. Yelp is a special Facebook partner, and has unfettered access to certain user data — without user permission — under new, less private policies Facebook rolled out three weeks ago. The local-reviews site is one of a handful of Web properties granted such privileges under Facebook's "Instant Personalization" program.

Once a hacker pasted the right code into Yelp, he could transfer the user's Facebook credentials to his own site and reportedly have access to a user's public Facebook data, including email address, full name — not normally exposed on anonymous Yelp — profile photo, current location, friend list, and networks

Advertisement

Facebook told TechCrunch it closed the security hole, but it's been playing whack-a-mole on security for three weeks, ever since revamping its privacy framework at its "F8" developer's conference: First came a bug exposing user chats, then one that made regular, unauthorized websites look like privileged Facebook apps, which Facebook said was an unfortunate illusion.

Facebook chat is now down as the social network races to close a security hole that let people see…
Read more Read more

The surest way to keep you data safe from Facebook's bugs is to keep it off the social networking site in the first place. But many users have found their lives are intertwined with the site, which can be used to keep in touch with family members, RSVP to parties and share photos.

If you want to keep sharing on Facebook but avoid this specific type of vulnerability in the future, go to your Facebook home page, then select the "Account" menu in the upper-right corner of the page, then select "Privacy settings." Then click "Applications and websites," the third link.

Then scroll to the bottom of the page, to where it says "Instant Personalization Pilot Program," and click "Edit Setting," as shown (click to enlarge):

Then scroll to the checkbox under the picture and uncheck it, as shown (click to enlarge):

Then click "Confirm" on the resulting dialog. Doing this will make it harder for some websites to personalize your experience with Facebook data, but it will also lock your Facebook account against further security vulnerabilities on these outside websites, which Facebook does not control:

Now you'll at least be a bit safer — until the next round of Facebook privacy changes, and the new exploits that shake out from that.